Hi, Antoine!
Trying to protect applications by protecting the communication network (which is what you describe in your text) is not operating at the right layer: protecting applications must be done at the application layer, not at the transport layer. Furthermore, developers can ensure that only authorized applications can send data to this application, that all applications are authenticated and cannot be impersonated, and that all communications are encrypted going in and out of the applications.
regards
Andre
________________________________
From: AF [mailto:newsalaksa at nxtg.net]
Sent: Mon 17/07/2006 3:25 PM
To: websecurity at webappsec.org
Subject: Re: [WEB SECURITY] application attacks
Hi there!
I think the mistake is in this sentence:
> Now, every developer knows how to
> protect their web applications against application attacks such as SQL
> Injection, XSS, HTTP smuggling, and others. So could someone give me some
> clear image about that. What's wrong?
The question is "Who's wrong?"
The answer is: You. :)
That's a fact: many web developers still don't know how to implement security
principles. Many don't even know security principles exist!
So when it comes to SQL injection, XSS, splitting, applogic, and so on... well... there's
still a lot of work ahead of us to do. This applies to almost every industry!
Pentesting, for fun, but also teaching and spreading the information around us,
as much as we can. That's it. That's what we can (have to?) do.
@ntoine
----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]